1*e4a36f41SAndroid Build Coastguard Worker### 2*e4a36f41SAndroid Build Coastguard Worker### Untrusted apps. 3*e4a36f41SAndroid Build Coastguard Worker### 4*e4a36f41SAndroid Build Coastguard Worker### Apps are labeled based on mac_permissions.xml (maps signer and 5*e4a36f41SAndroid Build Coastguard Worker### optionally package name to seinfo value) and seapp_contexts (maps UID 6*e4a36f41SAndroid Build Coastguard Worker### and optionally seinfo value to domain for process and type for data 7*e4a36f41SAndroid Build Coastguard Worker### directory). The untrusted_app domain is the default assignment in 8*e4a36f41SAndroid Build Coastguard Worker### seapp_contexts for any app with UID between APP_AID (10000) 9*e4a36f41SAndroid Build Coastguard Worker### and AID_ISOLATED_START (99000) if the app has no specific seinfo 10*e4a36f41SAndroid Build Coastguard Worker### value as determined from mac_permissions.xml. In current AOSP, this 11*e4a36f41SAndroid Build Coastguard Worker### domain is assigned to all non-system apps as well as to any system apps 12*e4a36f41SAndroid Build Coastguard Worker### that are not signed by the platform key. To move 13*e4a36f41SAndroid Build Coastguard Worker### a system app into a specific domain, add a signer entry for it to 14*e4a36f41SAndroid Build Coastguard Worker### mac_permissions.xml and assign it one of the pre-existing seinfo values 15*e4a36f41SAndroid Build Coastguard Worker### or define and use a new seinfo value in both mac_permissions.xml and 16*e4a36f41SAndroid Build Coastguard Worker### seapp_contexts. 17*e4a36f41SAndroid Build Coastguard Worker### 18*e4a36f41SAndroid Build Coastguard Worker 19*e4a36f41SAndroid Build Coastguard Worker# This file defines the rules for untrusted apps running with 20*e4a36f41SAndroid Build Coastguard Worker# targetSdkVersion >= 34. 21*e4a36f41SAndroid Build Coastguard Workertype untrusted_app, domain; 22*e4a36f41SAndroid Build Coastguard Worker# This file defines the rules for untrusted apps running with 23*e4a36f41SAndroid Build Coastguard Worker# 31 < targetSdkVersion <= 33. 24*e4a36f41SAndroid Build Coastguard Workertype untrusted_app_32, domain; 25*e4a36f41SAndroid Build Coastguard Worker# This file defines the rules for untrusted apps running with 26*e4a36f41SAndroid Build Coastguard Worker# 29 < targetSdkVersion <= 31. 27*e4a36f41SAndroid Build Coastguard Workertype untrusted_app_30, domain; 28*e4a36f41SAndroid Build Coastguard Worker# This file defines the rules for untrusted apps running with 29*e4a36f41SAndroid Build Coastguard Worker# targetSdkVersion = 29. 30*e4a36f41SAndroid Build Coastguard Workertype untrusted_app_29, domain; 31*e4a36f41SAndroid Build Coastguard Worker# This file defines the rules for untrusted apps running with 32*e4a36f41SAndroid Build Coastguard Worker# 25 < targetSdkVersion <= 28. 33*e4a36f41SAndroid Build Coastguard Workertype untrusted_app_27, domain; 34*e4a36f41SAndroid Build Coastguard Worker# This file defines the rules for untrusted apps running with 35*e4a36f41SAndroid Build Coastguard Worker# targetSdkVersion <= 25. 36*e4a36f41SAndroid Build Coastguard Workertype untrusted_app_25, domain; 37*e4a36f41SAndroid Build Coastguard Worker 38*e4a36f41SAndroid Build Coastguard Worker# system/sepolicy/public is for vendor-facing type and attribute definitions. 39*e4a36f41SAndroid Build Coastguard Worker# DO NOT ADD allow, neverallow, or dontaudit statements here. 40*e4a36f41SAndroid Build Coastguard Worker# Instead, add such policy rules to system/sepolicy/private/*.te. 41